According to Google, Microsoft Security Essentials is currently detecting some versions of the Chrome browser as malware. Could someone have hacked Google and put a virus into some Chrome updates? Or, is there another reason an antivirus product might flag legitimate software as bad?

1 Answer

False alarms from anti-malware are quite common because of the way this kind of software works and the theoretical limitations.

It is uncommon for anti-malware to have an exact copy of the malware included for a number of reasons:

There are many, many bad programs out there, so the anti-malware would be several hundred gigabytes in size.

Malware may exist in many variants; it may even modify itself.

Distribution of malware has legal implications, even if it is distributed as part of a security solution.

So how does malware detection work in practice?

The most common way is the usage of signatures which are calculated based on the malware files. The anti-malware company looks for distinct fingerprints in the malware binary which can be used to identify it.

Unfortunately, other legitimate files may have the same fingerprints, for example if the company uses part of an uncommon statically linked library.

Another approach is to analyse the behaviour of an application. For example, you don't expect a text processing program to write to the boot sector.

Browsers however do connect to the internet and write a number of files. They are host applications for addons, plugins and extensions. So it is quite likely that they trigger the behaviour detection.

Both approaches often come with a whitelist of known good programs. It may, however, take some time until a new release of whitelisted software is added.
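The three mechanisms the answer describes (byte-pattern signatures, behaviour scoring and a whitelist of known-good hashes) can be demonstrated with a toy scanner. The following is an added example, not code from the answerer or from any real anti-malware product; the "malware", the "browser" and the shared library chunk are constructed byte strings, the action weights and threshold are made up, and `signature_scan`, `behaviour_scan` and `demo` are hypothetical names. It shows how a signature carved from a statically linked library region matches a benign file, why a signature from the payload-specific region does not, how a hash whitelist suppresses the false alarm, and why a new release (different hash) is flagged again until the whitelist is updated.

```python
import hashlib

# ---- Constructed sample files (stand-ins, not real malware or a real browser) ----
# A byte chunk standing in for an uncommon statically linked library that both the
# malware author and a legitimate vendor happened to compile into their binaries.
SHARED_LIB_CHUNK = b"\x55\x48\x89\xe5libfoo_v1_init\x00\xc3"
HEADER = b"\x7fELF" + b"\x00" * 8
MALWARE_SAMPLE = HEADER + SHARED_LIB_CHUNK + b"drop_payload\x00"
BENIGN_BROWSER_V1 = HEADER + SHARED_LIB_CHUNK + b"render_page\x00"
BENIGN_BROWSER_V2 = BENIGN_BROWSER_V1 + b"bugfix"   # newer release, so its hash differs


def extract_signature(sample: bytes, offset: int, length: int) -> bytes:
    """A signature here is simply a fixed byte slice taken from the malware sample."""
    return sample[offset:offset + length]


# Signature carved from the shared-library region: it will match every file using libfoo.
BAD_SIGNATURE = extract_signature(MALWARE_SAMPLE, len(HEADER), 16)
# Signature carved from the malware-specific region that follows the shared chunk.
GOOD_SIGNATURE = extract_signature(MALWARE_SAMPLE, len(HEADER) + len(SHARED_LIB_CHUNK), 12)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signature_scan(data: bytes, signatures: dict, allowlist: set) -> str:
    """Consult the whitelist of known-good hashes first; otherwise search for every
    signature as a substring, the way a naive pattern scanner would."""
    if sha256(data) in allowlist:
        return "clean (allow-listed)"
    hits = sorted(name for name, sig in signatures.items() if sig in data)
    return ("detected: " + ",".join(hits)) if hits else "clean"


# ---- Behaviour-based detection (constructed weights) ----
# Writing the boot sector is damning on its own; network and file activity only
# count in aggregate, which is exactly what makes a busy browser look suspicious.
ACTION_WEIGHTS = {"write_boot_sector": 100, "network_connect": 5,
                  "write_file": 2, "load_plugin": 10}
THRESHOLD = 50


def behaviour_scan(events: list) -> str:
    score = sum(ACTION_WEIGHTS.get(e, 0) for e in events)
    verdict = "detected" if score >= THRESHOLD else "clean"
    return "%s (score %d)" % (verdict, score)


def demo() -> dict:
    """Run each scenario from the answer and return the verdicts by name."""
    bad = {"Trojan.Constructed": BAD_SIGNATURE}
    good = {"Trojan.Constructed": GOOD_SIGNATURE}
    stale_allowlist = {sha256(BENIGN_BROWSER_V1)}   # v2 not yet added
    return {
        "malware, bad sig": signature_scan(MALWARE_SAMPLE, bad, set()),
        "browser v1, bad sig": signature_scan(BENIGN_BROWSER_V1, bad, set()),   # false alarm
        "browser v1, good sig": signature_scan(BENIGN_BROWSER_V1, good, set()),
        "browser v1, bad sig + allowlist": signature_scan(BENIGN_BROWSER_V1, bad, stale_allowlist),
        "browser v2, bad sig + stale allowlist": signature_scan(BENIGN_BROWSER_V2, bad, stale_allowlist),
        "text editor writes boot sector": behaviour_scan(["write_file", "write_boot_sector"]),
        "text editor saves files": behaviour_scan(["write_file"] * 3),
        "browser session": behaviour_scan(["network_connect"] * 6 + ["write_file"] * 5 + ["load_plugin"]),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print("%-40s %s" % (scenario, verdict))
```

The scenario names in `demo()` map directly onto the answer: the browser is flagged by the library-derived signature but not by the payload-derived one, the whitelist silences the false alarm for the release it knows about, and the unlisted newer build trips the same signature again. The behaviour scorer flags the editor that touches the boot sector outright, while the ordinary browser session crosses the threshold purely through the volume of network, file and plugin activity that browsers legitimately generate.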